What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them
Switchzilla says remote networking gear has a grab-bag of holes
Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.
Switchzilla says the SD-WAN code is host to five vulnerabilities ranging from privilege escalation to remote code injection. The five CVE-listed bugs (CVE-2020-3264, CVE-2020-3265, CVE-2020-3266, CVE-2019-16010, CVE-2019-16012) are down to what Cisco calls "insufficient input validation," and the avenues to exploit it range from SQL to HTTP requests.
"An attacker could exploit this vulnerability by sending crafted traffic to an affected device," Cisco said in one of the disclosures.
"A successful exploit could allow the attacker to gain access to information that they are not authorized to access and make changes to the system that they are not authorized to make."
For each of the three CVE-2020 cases, Cisco classifies the security holes as being "high" risk – with at least one being a buffer overflow leading to code execution.
Thought you were done after Tuesday's 115-fix day? Not yet: Microsoft emits SMBv3 worm-cure crisis patchREAD MORE
“It’s interesting to note that the three bugs have different impacts (privilege escalation, command injection, and buffer overflow), but all three list the same root cause: insufficient input validation,” said Dustin Childs, manager at Trend Micro’s ZDI program, in an email to The Register.
“The medium-rated bugs (XSS and SQL Injection) could also list insufficient input validation as a root cause. This should serve as a reminder to developers that (much like hands) input must be sanitized, even if they think it comes from a trusted source.”
Meanwhile, the Webex video-conferencing software also needs some sorting out right when everyone's working from home amid the coronavirus pandemic.
The patch bundle includes a fix for Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. A hacker can send a suitably crafted file in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF), and if the recipient clicks on it on a vulnerable computer, they get pwned. iOS users also need to patch an information-disclosure bug.
The other fixes mention SQL injection and cross-site scripting flaws.
"The vulnerability exists because the web UI improperly validates SQL values," Cisco said. "An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system."
The bugs arrive at, to say the least, an inopportune time for administrators. With the Coronavirus locking down a number of cities, counties, and countries, WAN and VPN connections are in high demand from suddenly remote employees. Last week, vendors reported a surge in traffic to VPNs as employees switch from in-office to remote working. ®